(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Apache Tomcat is a Java-based web server that is used for different applications. While you may have it running in your environment, you may not be familiar enough with its workings to provide adequate incident response.

0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar

Here you can see that it is running from /usr/share/apache-tomcat-7.0.65.

The Tomcat configurations are located in the TOMCAT_HOME/config directory.

Now that we know where to look, let's go over the incident. A system was discovered to be compromised, so I started our IR process. When looking at the processes running, a process was quickly changing its name and running as root.

qymasclks 10346 root

05:58:38,493137,mac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei.war
Tue Dec 01 2015 05:58:38,69334,.ac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei/a.jsp

There is a new file eei.war that has been created. Let's take a look at the log files and see what we can get from that time frame.

#fgrep Dec 01, 2015
INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms

You can see that a new application has been deployed, which means the attacker had access to the Tomcat admin. Let's look at the access_logs to see if we can get more detail.

#fgrep 01/Dec/2015
- - [01/Dec/2015:05:58:08 -0500] GET /manager/html HTTP/1.1
[01/Dec/2015:05:58:09 -0500] GET /manager/html HTTP/1.1
- admin [01/Dec/2015:05:58:39 -0500] ?org.apache.catalina.filters.CSRF_NONCE=4C0343589816E985E2010C618944EF5A HTTP/1.1
- - [01/Dec/2015:05:58:43 -0500] GET /eei/ HTTP/1.1
- - [01/Dec/2015:05:58:45 -0500] POST /eei/ HTTP/1.1
- - [01/Dec/2015:05:58:49 -0500] GET /eei/?action=command HTTP/1.1
- - [01/Dec/2015:05:58:55 -0500] HTTP/1.1
- - [01/Dec/2015:05:58:58 -0500] POST /eei/?action=command HTTP/1.1

Let's see how the attacker was able to gain access as the admin user to the manager site. By viewing the tomcat-users.xml file, we can see that the default username is being used.
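The triage steps in this diary (spot Manager access in access_log, confirm the deployment in catalina.out, list the context paths that were not part of the known application inventory, and check tomcat-users.xml for a default account with a manager role) can be scripted so the same checks run on every Tomcat host. The Python below is an added example, not code from the diary or from the Tomcat project. The log lines and tomcat-users.xml in it are constructed to resemble the incident; the "common" access-log pattern, the stock HostConfig deploy message, the Manager upload path and the list of default usernames are assumptions about a default Tomcat 7 install.

```python
"""Triage helpers for a suspected rogue Tomcat deployment (added example).

Assumptions, not facts from the diary: access_log uses Tomcat's default
"common" AccessLogValve pattern, catalina.out carries the stock HostConfig
deploy message, and all sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
DEPLOY_LINE = re.compile(r"Deployment of web application archive (?P<war>\S+) has finished")

# Account names shipped in Tomcat's example tomcat-users.xml or commonly left
# in place (assumption); a manager role on one of these deserves a look.
DEFAULT_USERS = {"admin", "tomcat", "manager", "root", "both", "role1"}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample data resembling the incident (IPs, nonce and sizes are made up)
ACCESS_LOG = """\
10.0.0.5 - - [01/Dec/2015:05:58:08 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [01/Dec/2015:05:58:39 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0123ABCD HTTP/1.1" 200 17451
10.0.0.5 - - [01/Dec/2015:05:58:43 -0500] "GET /eei/ HTTP/1.1" 200 3300
10.0.0.5 - - [01/Dec/2015:05:58:58 -0500] "POST /eei/?action=command HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2015:06:10:01 -0500] "GET /shop/index.jsp HTTP/1.1" 200 9000
"""
CATALINA_LOG = """\
Dec 01, 2015 5:58:38 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms
"""
TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="k8Xp-long-random-secret" roles="manager-script"/>
  <user username="tomcat" password="s3cret" roles="tomcat"/>
</tomcat-users>
"""


def parse_access_log(text):
    """Parse common-format access_log lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_LINE.match, text.splitlines()) if m]


def manager_activity(entries):
    """Requests to the Manager app; an authenticated one is a deployment suspect."""
    return [e for e in entries if e["path"].startswith("/manager/")]


def context_of(path):
    """First path segment, i.e. the web application (context) that served the request."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]


def new_contexts(entries, known):
    """Context paths that were requested but are not in the application inventory."""
    return {context_of(e["path"]) for e in entries} - set(known) - {""}


def catalina_deploys(text):
    """WAR paths that HostConfig reports as deployed."""
    return [m.group("war") for m in DEPLOY_LINE.finditer(text)]


def risky_manager_users(xml_text):
    """Users holding a manager role under a default name or with password == username."""
    root = ET.fromstring(xml_text)
    risky = []
    for el in root.iter():
        if not el.tag.endswith("user"):  # tolerates the namespaced form used by newer Tomcats
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",")}
        if roles & MANAGER_ROLES and (name in DEFAULT_USERS or el.get("password") == name):
            risky.append(name)
    return risky


def triage(access_text, catalina_text, users_xml, known_contexts):
    """One report tying the four checks together."""
    entries = parse_access_log(access_text)
    return {
        "manager_users": sorted({e["user"] for e in manager_activity(entries) if e["user"] != "-"}),
        "unknown_contexts": sorted(new_contexts(entries, known_contexts)),
        "deployed_wars": catalina_deploys(catalina_text),
        "risky_users": risky_manager_users(users_xml),
    }


if __name__ == "__main__":
    for key, value in triage(ACCESS_LOG, CATALINA_LOG, TOMCAT_USERS, ["manager", "shop"]).items():
        print(f"{key}: {value}")
```

On the constructed data the report names "admin" as the account that touched the Manager, "eei" as the only context outside the inventory, the eei.war deployment from catalina.out, and "admin" as a manager-role user with a default name and a password equal to the username. Feed it the real files by reading TOMCAT_HOME/logs/localhost_access_log.*, catalina.out and conf/tomcat-users.xml, and keep the known-context list in your CMDB rather than deriving it from the same logs.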

--

The package that was installed was JSP File Browser 1.1a.
MD5 file hash: cac58ebacb036f706d58ec9f47ee64cc  eei.war

filename: kill.sh
filepath: /lib/udev
(C.rar download every 30 min)


Tom Webb

Linux Kernel CVE-2015-5157 Local Privilege Escalation Vulnerability
Red Hat Enterprise Linux 'USB Device Descriptor' Local Denial of Service Vulnerability
Linux Kernel 'fs/udf/inode.c' Denial of Service Vulnerability
Linux Kernel UDF File System Multiple Local Denial of Service Vulnerabilities


Information security: How does SA measure up?
There is a general lack of security awareness globally among businesses' operational staff that is leading to information security risk. Top level management does not understand the risks associated with a breach, and is unable to see the business ...

Linux Kernel CVE-2016-0728 Local Privilege Escalation Vulnerability
Oracle Java SE CVE-2016-0448 Remote Security Vulnerability
Oracle Java SE CVE-2016-0402 Remote Security Vulnerability

Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions. (CVE-2016-1287)

[Update] Also see this writeup with LOTS of details.

crypto map | include interface

A device is vulnerable if a crypto map is returned.

There is no workaround, but Cisco has released patched firmware for affected devices.


Johannes B. Ullrich, Ph.D.


Infosec pros still pressured to release unsecure projects: Survey
IT World Canada
Despite an increase in the number of data breaches last year, infosec pros say they continue to be pressured by the business side to release projects that aren't fully secure, according to an international survey. The survey, paid for by Trustwave ...

Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current beta version of the software. Feedback is very much appreciated. To get started:

  • Install Raspbian Jessie on your Pi
  • Run sudo raspi-config and select "expand rootfs"
  • You will need the e-mail address, the numeric userid and the authkey for your ISC/DShield account. You can retrieve it here:
  • git clone https://github.com/DShield-ISC/dshield.git
  • Run the install script: sudo dshield/bin/install.sh
  • Enjoy (hopefully... and please let me know what works/doesn't work, if possible by entering an issue on GitHub: https://github.com/DShield-ISC/dshield/issues).

Important: The install script will move the SSH server to port 12222. So the next time you connect after a reboot, you will need to connect to that port (ssh -p 12222 [user]@[your pi IP]). The reason we do this is to keep port 22 free for an SSH honeypot.

In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's DMZ feature to expose the system. Other Raspbian versions may work, and if you do have one, by all means test it and let me know how it goes.

Johannes B. Ullrich, Ph.D.


The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday.

Identity thieves made the haul by using taxpayers' personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them.

No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.



Google has confirmed a number of changes to Gmail with the arrival of two new features that will let you know if the people you’re corresponding with aren’t hip with TLS encryption.

The alterations are fairly subtle: when you receive a message from, or are on the brink of sending a message to, someone using a service that doesn’t support encryption, you’ll see a broken lock in the top-right of the screen. Clicking on the icon will bring up a pop-up alert with an explanation and a warning to perhaps consider removing the offending recipient.

Likewise, if you receive a message that can’t be authenticated, you won’t be hit by klaxon alarms. Instead, Gmail will replace the sender's profile photo with an incriminating question mark, identifying them as potentially suspicious. What you do with that information after that, of course, is entirely up to you. Despite the advent of this new warning system, Google stresses that not all affected messages are necessarily harmful. It's just better to practice caution.


Remote Code Execution in Exponent
Apache Sling Framework v2.3.6 - Information Disclosure Vulnerability
Getdpd Bug Bounty #6 - (Import - FTP) Persistent Vulnerability
MyScript Memo v3.0 iOS - (Mail) Persistent Vulnerability
File Sharing Manager v1.0 iOS - Multiple Web Vulnerabilities
VP2016-001: Remote Command Execution in File Replication Pro

On Wednesday, Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) introduced a new bill in Congress that attempts to halt state-level efforts that would weaken encryption.

The federal bill comes just weeks after two nearly identical state bills in New York state and California proposed to ban the sale of modern smartphones equipped with strong crypto that cannot be unlocked by the manufacturer. If the state bills are signed into law, current iPhone and Android phones would need to be substantially redesigned for those two states.

Lieu and Farenthold’s federal bill would need to pass both the House of Representatives and the Senate as well as be signed by the president in order to take effect. If that happens before the state bills are enacted, it would pre-empt them.


SEC Consult SA-20160210-0 :: Yeager CMS Multiple Vulnerabilities
ManageEngine Eventlog Analyzer Privilege Escalation v10.8
dotDefender Firewall CSRF
Safebreach advisory: Node.js HTTP Response Splitting (CVE-2016-2216)
ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities